Step 2: Installing MDM Enrollment Server

10/3/2008

The following steps show you how to install Mobile Device Manager (MDM) Enrollment Server for the MDM system. Enrollment is a one-time process that is required to join a Windows Mobile powered device to your company domain. During MDM Enrollment Server Setup, the domain certification authority issues two SSL certificates for MDM Enrollment Server. The Active Directory configuration tool, ADConfig.exe, creates the template for this certificate automatically by using the /createtemplates and /enabletemplates parameters as discussed in Step 1a: Configuring the Active Directory Domain for MDM.

Important

We strongly recommend that you use a proxy server to provide more secure Web publishing for MDM Enrollment Server on the company network. Microsoft® Internet Security and Acceleration (ISA) Server 2006, although not required, can provide this functionality. For more information about MDM perimeter network configuration, best practices, and general network deployment information, see the MDM Planning Guide.

You may install the MDM Enrollment Server, MDM Device Management Server, and MDM Administrator Tools in any order. However, the MDM Gateway Server setup must be performed after the installation of the previous components.

MDM Enrollment Server Installation Procedures

The following procedures represent a single MDM Enrollment Server installation. If you deploy multiple computers that are running MDM Enrollment Server, the related device certification authority and Administrative Web site port pages will not appear after the first MDM Enrollment Server installation. The computer that is running the SQL database instance for MDM stores the information that is collected from these pages for successive MDM Enrollment Server installations. This information is collected at the first MDM Device Management Server or MDM Enrollment Server installation. Additionally, if you deploy multiple computers that are running MDM Enrollment Server, you must enter the information for the load balancer instead of the information for the individual computer that is running MDM Enrollment Server. Even if you install only one server, you can avoid manual certificate steps later by using a load balancer. For more information about load balancers and load balancing topologies, please see MDM System Topologies in the MDM Planning Guide.

Before you install and deploy MDM by following the steps in this guide, you must first plan your deployment and configure your IT environment. To do this, follow the steps and guidelines in the MDM Planning Guide. MDM Planning and Deployment Checklists specifies the permissions and roles required to complete the following steps.

To install MDM Enrollment Server

  1. On the installation disc for System Center Mobile Device Manager (MDM), on the Setup menu, choose Enrollment Server.

  2. On the Enrollment Server Setup page, choose Next.

  3. Read the End-User License Agreement and then select the I accept the License Terms for Microsoft Software check box. Choose Next.

  4. On the Installation Directory page, type the path of the directory, or accept the default directory path, and then choose Next.

  5. On the Database Installation Options page, type the fully qualified domain name (FQDN) of the computer that is running Microsoft SQL Server®. If SQL Server is running on the local computer, you must still supply the FQDN; you cannot enter localhost or localhost\<sqlinstance>. Select the Current Windows credentials check box, unless you can access the SQL database instance only by using another user name and password. Choose Next.

  6. On the Enrollment Server Location page, in the Configure the Enrollment Server section, type the external FQDN for MDM Enrollment Server in the External enrollment FQDN box. Type the internal FQDN in the Internal enrollment FQDN box. If you are using more than one server that is running MDM Enrollment Server, type the internal and external FQDN for the load balancer. To continue without enrollment FQDN validation, select Skip Enrollment FQDN validation (not recommended), and then choose Next.

    Note

    This guide uses es.contoso.com as the example internal enrollment FQDN and mobileenroll.contoso.com as the example external enrollment FQDN for MDM Enrollment Server. Enter the FQDN of your own MDM Enrollment Server, such as servername.yourdomain.tld. The external address is the MDM Enrollment Server address that is accessible from outside your company network. The internal address is the MDM Enrollment Server FQDN that is used from inside the company network. In some cases these FQDNs may be the same. If you are using, or will ever use, multiple servers that are running MDM Enrollment Server, you must enter the FQDN for the load balancer(s). This makes sure that Setup correctly configures the MDM certificates and service connection points (SCP).

  7. On the Enrollment Setup page, specify the port that you want to use for the Administration Web site and then choose Next. This port will be used for all MDM Enrollment Server administration. You must make sure that the port is currently not in use.

  8. On the Device Certification Authority page, in the Device Certification Authority box, type the location and the name of the certification authority that will enroll and manage the certificates for the Windows Mobile powered devices, and then choose Next. Type the certification authority in the form of <ca_server_name>\<ca_instance_name>. This should be a certification authority where you have the MDM certificate templates enabled.

  9. On the Server Certification Authority page, in the Certification Authority box, type the location and the name of your certification authority server and then choose Next. Type the certification authority in the form of <ca_server_name>\<ca_instance_name>. This should be a certification authority where you have MDM certificate templates enabled.

    Note

    If you prefer manual certificate installation, select the Do not request certificates during setup check box (not recommended). If you choose to create certificates manually, see the following topic in the Technical Reference: Creating Manual Certificates.

  10. If you have not already configured Microsoft Update on the server, a Microsoft Update page will appear that prompts you to configure the server for Microsoft Update. Make your selection and choose Next.

  11. On the Ready to Install page, verify your selections, and then choose Install.

  12. Choose Finish to complete MDM Enrollment Server Setup. You must allow for enough time for Active Directory replication to finish.
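
The following PowerShell script is an added example, not part of the original procedure or of MDM Setup. It pre-checks the values that steps 5 through 9 ask for, before you run Setup, so that the certificates are requested for the intended names. The function names, the SQL Server name, the port number, and the certification authority names are hypothetical; the two enrollment FQDNs are the examples used in this guide.

```powershell
# Added example: pre-flight checks for the values typed into Enrollment Server Setup.
# Hypothetical helper names; sample values are constructed unless noted.

function Test-FqdnSyntax([string]$Name) {
    # Requires a dotted name whose last label starts with a letter, which
    # rejects "localhost", single-label names, and IPv4 addresses.
    return ($Name -match '^([A-Za-z0-9-]+\.)+[A-Za-z][A-Za-z0-9-]*$')
}

function Test-NameResolves([string]$Name) {
    # True if DNS returns at least one address for the name.
    try { return ([System.Net.Dns]::GetHostAddresses($Name).Length -gt 0) }
    catch { return $false }
}

function Test-PortFree([int]$Port) {
    # Step 7: the Administration Web site port must not already be in use.
    $props = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties()
    foreach ($ep in $props.GetActiveTcpListeners()) {
        if ($ep.Port -eq $Port) { return $false }
    }
    return $true
}

function Test-CaConfigString([string]$Value) {
    # Steps 8 and 9: exactly one backslash, <ca_server_name>\<ca_instance_name>.
    return ($Value -match '^[^\\\s]+\\[^\\]+$')
}

function Write-Check([string]$Label, [bool]$Ok) {
    if ($Ok) { Write-Output "PASS  $Label" } else { Write-Output "FAIL  $Label" }
}

$SqlServer    = 'sql01.contoso.com'                    # constructed
$InternalFqdn = 'es.contoso.com'                       # example from this guide
$ExternalFqdn = 'mobileenroll.contoso.com'             # example from this guide
$AdminPort    = 8443                                   # constructed
$DeviceCa     = 'ca01.contoso.com\Contoso Device CA'   # constructed
$ServerCa     = 'ca01.contoso.com\Contoso Server CA'   # constructed

$sqlHost = $SqlServer.Split('\')[0]   # drop any \<sqlinstance> suffix
Write-Check 'Step 5: SQL Server name is an FQDN, not localhost' (Test-FqdnSyntax $sqlHost)
Write-Check 'Step 6: external enrollment FQDN is well formed'   (Test-FqdnSyntax $ExternalFqdn)
Write-Check 'Step 6: internal enrollment FQDN is well formed'   (Test-FqdnSyntax $InternalFqdn)
Write-Check 'Step 6: internal enrollment FQDN resolves in DNS'  (Test-NameResolves $InternalFqdn)
Write-Check "Step 7: TCP port $AdminPort is not in use"         (Test-PortFree $AdminPort)
Write-Check 'Step 8: device CA is <server>\<instance>'          (Test-CaConfigString $DeviceCa)
Write-Check 'Step 9: server CA is <server>\<instance>'          (Test-CaConfigString $ServerCa)
```

Run the script on the computer where you will install MDM Enrollment Server, because the port and DNS checks reflect the computer on which they run.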